
Oracle 11g Security Enhancement (original)

Secure Password Support

Oracle Database 11g provides several new ways to make database passwords more secure. Among these are the following new password-related features:

Case-sensitive passwords make databases more secure. I discuss this feature in the following sections.

You can include multibyte characters in a password without enclosing them in quotation marks.

Every password a user enters is passed through the SHA-1 hash algorithm (which produces a 160-bit digest; no key is involved) and the result is compared with the stored credential for that user.

Passwords are always salted: a random value is appended to the password before it is hashed, so two accounts with the same password do not share a stored credential and a precomputed hash table cannot be reused across accounts.

Configuring Case-Sensitive Passwords

In Oracle Database 11g, for the first time, database passwords are case sensitive by default: when you create or modify a user account, the password is automatically case sensitive. You control this behaviour with the new initialization parameter sec_case_sensitive_logon, whose default value is TRUE. Oracle recommends that you keep the new default, but there may be times when you have to disable case sensitivity to stay compatible with applications that, say, use hard-coded, case-insensitive passwords. In that case you can reinstate the old case-insensitive behaviour by setting the parameter to FALSE. Be aware that doing so also makes the database fall back to the weaker pre-11g hash for authentication.

SQL> alter system set sec_case_sensitive_logon=false;
System altered.

When you upgrade from Oracle Database 10g or an older release of the database to Oracle Database 11g, the passwords remain case insensitive. You must change the passwords for the users in order to make the passwords case sensitive. Use the following query on the DBA_USERS view to find out which of your users have case-sensitive passwords, as shown here:

SQL> SELECT USERNAME, PASSWORD, PASSWORD_VERSIONS
  2    FROM DBA_USERS;

USERNAME                       PASSWORD             PASSWORD_VERSIONS
------------------------------ -------------------- ------------------------
MGMT_VIEW                                           10G 11G
SYS                                                 10G 11G
SYSTEM                                              10G 11G
DBSNMP                                              10G 11G
SYSMAN                                              10G 11G
ORACLE_OCM                                          10G 11G

In the preceding query, the new Oracle Database 11g column PASSWORD_VERSIONS lists which versions of the password hash are stored for the account: 10G for the legacy hash used by Oracle Database 10g and earlier releases, and 11G for the new salted SHA-1 credential. The output here shows that every password was either created in Oracle Database 11g or reset after the upgrade, so both versions are present. When you upgrade from Oracle Database 10g to Oracle Database 11g, the accounts carry only the 10G hash (PASSWORD_VERSIONS shows just 10G) and their passwords remain case insensitive. You must reset each password with the alter user <username> identified by <new_password> command, which generates the 11G credential and makes the password case sensitive. If you create a new Oracle Database 11g database, on the other hand, the user accounts you create have case-sensitive passwords from the start.
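As an added example (not from the original page or the exam guide), here is the check and reset procedure for an upgraded database spelled out end to end. The account name SCOTT and the new password are assumptions for illustration.

```sql
-- Added example: find accounts that still have only the pre-11g hash after
-- an upgrade, reset one of them, and confirm the new credential is present.
-- Account name SCOTT and the new password are assumptions for illustration.

-- Accounts whose PASSWORD_VERSIONS lacks '11G' have no SHA-1 credential yet
-- and therefore still authenticate case-insensitively.
SELECT username, account_status, password_versions
  FROM dba_users
 WHERE password_versions NOT LIKE '%11G%'
 ORDER BY username;

-- Resetting the password generates the salted SHA-1 credential. The double
-- quotes allow any character in the password; case is preserved either way.
ALTER USER scott IDENTIFIED BY "Tiger#2024";

-- The account now shows both hash versions ('10G 11G'). The 10G hash is kept
-- for backward compatibility and is the one used if sec_case_sensitive_logon
-- is later set to FALSE.
SELECT username, password_versions
  FROM dba_users
 WHERE username = 'SCOTT';

-- Confirm the instance actually enforces case sensitivity; if this is FALSE
-- the reset changes nothing about how case is treated at logon.
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';
```

Run the first query again after the reset campaign: any account still listed has a password that was never changed since the upgrade and is still case insensitive.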

Note that, unlike in previous releases, the PASSWORD column is blank. In older releases DBA_USERS showed you the password hashes; in Oracle Database 11g you can no longer read them through the DBA_USERS view. The hashes are still stored, in the SYS.USER$ table (the legacy 10G hash in the PASSWORD column and the 11g SHA-1 credential in SPARE4), so read access to that table should be treated as access to the credentials themselves. What is stored is not the password but a credential derived from it by a hash function: whenever you log in, the database hashes the password you enter and compares the result with the stored credential. In addition, when a user tries to connect with a wrong password, Oracle Database 11g delays each subsequent login attempt after the third failed attempt, gradually increasing the delay between consecutive attempts up to a maximum of about ten seconds, which slows down online password guessing.
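An added example, not part of the original page, showing concretely what "hash the password and compare it with the stored credential" means. It reads the 11g credential from SYS.USER$.SPARE4, whose layout is the prefix S: followed by 40 hex digits of the SHA-1 digest and 20 hex digits of the 10-byte salt, and recomputes SHA-1 over the candidate password bytes followed by the salt bytes. The account name and candidate password are assumptions; the block must run as SYS or as a user with SELECT on SYS.USER$ and EXECUTE on DBMS_CRYPTO. It is a practical way to audit accounts for known default passwords without issuing logins that would count against FAILED_LOGIN_ATTEMPTS.

```sql
-- Added example: recompute an Oracle 11g password credential and compare it
-- with a candidate password. Assumes SYS (or SELECT on SYS.USER$ plus
-- EXECUTE on DBMS_CRYPTO). Account name and candidate are assumptions.
SET SERVEROUTPUT ON

DECLARE
  v_user       VARCHAR2(30)   := 'SCOTT';   -- assumed account
  v_candidate  VARCHAR2(128)  := 'Tiger';   -- assumed candidate password
  v_spare4     VARCHAR2(1000);
  v_stored     RAW(20);
  v_salt       RAW(10);
  v_calc       RAW(20);
BEGIN
  -- SPARE4 holds the 11G credential: 'S:' || SHA-1 (40 hex) || salt (20 hex).
  -- The old DES-based 10G hash lives in USER$.PASSWORD and is not used here.
  SELECT spare4 INTO v_spare4 FROM sys.user$ WHERE name = v_user;

  IF v_spare4 IS NULL OR SUBSTR(v_spare4, 1, 2) <> 'S:' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'No 11G credential for ' || v_user || '; reset the password first');
  END IF;

  v_stored := HEXTORAW(SUBSTR(v_spare4, 3, 40));
  v_salt   := HEXTORAW(SUBSTR(v_spare4, 43, 20));

  -- credential = SHA-1( password bytes || salt bytes ). No case folding is
  -- applied, which is why 'Tiger' and 'tiger' yield different digests.
  -- CAST_TO_RAW uses the database character set, which is fine for ASCII.
  v_calc := DBMS_CRYPTO.HASH(
              UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(v_candidate), v_salt),
              DBMS_CRYPTO.HASH_SH1);

  IF v_calc = v_stored THEN
    DBMS_OUTPUT.PUT_LINE(v_user || ': candidate password MATCHES stored credential');
  ELSE
    DBMS_OUTPUT.PUT_LINE(v_user || ': candidate does not match');
  END IF;
END;
/
```

Because the salt is per account, the same candidate has to be hashed once per account; there is no shortcut through a shared table of digests, which is exactly the property the salt is there to provide.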

Case Sensitivity and Password Files

In Oracle Database 11g, there is a new optional parameter you may specify when creating a new password file. The parameter, named ignorecase, determines whether the passwords in the password file are case sensitive or not. By default, the value of the ignorecase parameter is set to no (n), meaning that all passwords inside a password file will be automatically case sensitive. Here’s an example that shows how you specify the ignorecase parameter:

$ orapwd file=orapw entries=30 ignorecase=y
Enter password for SYS:

In the preceding example, the value of the ignorecase parameter is set to y, meaning the database will ignore the case of the password when a SYSDBA or SYSOPER login is authenticated against the password file. When you import users from an older database release, the passwords of any users with the SYSDBA or SYSOPER privilege are imported into your current password file. These passwords are case insensitive, and Oracle recommends that you have the users change them. If case sensitivity is enabled (sec_case_sensitive_logon set to TRUE), the passwords automatically become case sensitive when these users change them.

Note the following differences in the usage of the orapwd command:

  • The password parameter is optional now, whereas it was required before.
  • The ignorecase parameter is new, as explained earlier.
  • The nosysdba parameter is also new, but is relevant only if you’ve installed Oracle Database Vault.

New Password Management Function

Oracle provides a script named utlpwdmg.sql (stored in the $ORACLE_HOME/rdbms/admin directory) to let you implement several password management features, such as setting the default password resource limits. The script contains code for creating a password verification function named verify_function_11g, which checks password complexity. The function checks only for minimal password complexity, and you can customize it to enforce stricter rules. Oracle offers both the old verify_function creation code and the code to create the updated Oracle Database 11g version of the function (verify_function_11g). The new version of the function includes the following additional password protection features:

  • Ensures that the password is at least eight characters long. In the previous release, the minimum length of the password was only four characters.
  • Checks if the password is the same as the username reversed.
  • Checks if the password is the same or similar to the server name.

The utlpwdmg.sql script first creates the 11g version of the verify function and then alters the DEFAULT profile with the following alter profile statement:

alter profile default limit
  password_life_time 180
  password_grace_time 7
  password_reuse_time unlimited
  password_reuse_max unlimited
  failed_login_attempts 10
  password_lock_time 1
  password_verify_function verify_function_11g;
As you are aware from earlier releases, the database assigns the DEFAULT profile to every user who has not been assigned a specific profile, so these limits apply to all such users, including application accounts: in particular, password_life_time 180 means their passwords expire after 180 days unless you give them a profile of their own. Note the last part of the SQL statement (password_verify_function verify_function_11g). This means that if you create the password verify function in your database as recommended by Oracle, any time a user (including the DBA) attempts to create a new password or to change an existing password, the database executes the verify_function_11g function to ensure that the new password meets all the requirements specified by that function.
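The following is an added example, not the Oracle-supplied utlpwdmg.sql code: a minimal verification function implementing the three checks listed above (minimum length, username and reversed username, database and server name), attached to a dedicated profile so it can be tried out without touching DEFAULT. The function must be created in the SYS schema, because a profile only accepts a verification function owned by SYS. The profile name, the test account and its passwords are assumptions.

```sql
-- Added example: a minimal password verification function implementing the
-- three checks discussed above, attached to a test profile. This is not the
-- Oracle-supplied utlpwdmg.sql code. Create it as SYS; profiles only accept
-- verification functions owned by SYS.
CREATE OR REPLACE FUNCTION verify_function_demo (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN
IS
  v_reversed  VARCHAR2(128) := '';
  v_db_name   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'DB_NAME');
  v_host      VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SERVER_HOST');
BEGIN
  -- 1. Minimum length of eight characters (11g raised this from four).
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
  END IF;

  -- 2. Must not equal the username or the username reversed. The comparison
  --    is deliberately case-insensitive: "1tsetces" is as weak as "1TSETCES".
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    v_reversed := v_reversed || SUBSTR(username, i, 1);
  END LOOP;
  IF UPPER(password) IN (UPPER(username), UPPER(v_reversed)) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not be the username or its reverse');
  END IF;

  -- 3. Must not contain the database name or the server host name.
  IF INSTR(UPPER(password), UPPER(v_db_name)) > 0
     OR INSTR(UPPER(password), UPPER(v_host)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not contain the database or host name');
  END IF;

  RETURN TRUE;
END;
/

-- Attach the function to a dedicated profile rather than DEFAULT while testing.
CREATE PROFILE demo_profile LIMIT
  failed_login_attempts    10
  password_lock_time       1
  password_verify_function verify_function_demo;

-- Assumed test account; the initial password passes all three checks.
CREATE USER sectest1 IDENTIFIED BY "Str0ngPassw0rd" PROFILE demo_profile;

-- Each of these is rejected with ORA-28003 wrapping the function's own error:
ALTER USER sectest1 IDENTIFIED BY "Abc1234";     -- only 7 characters
ALTER USER sectest1 IDENTIFIED BY "1tsetces";    -- SECTEST1 reversed
```

Once the function behaves as intended, point the DEFAULT profile at it with the alter profile statement shown above (substituting the function name), and remember that DBA accounts are subject to the same checks.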

New Security-Related Initialization Parameters

You’ve learned about the new parameter sec_case_sensitive_logon, which allows you to control the case sensitivity of user passwords, thus reducing your vulnerability to brute force attacks. In addition, there are also these new parameters that affect security:

  • sec_protocol_error_further_action: Specifies what action the database must take when it receives bad packets from a client, the presumption being that the client is acting with a malicious intent. The possible actions you can specify are: continue, drop the connection, or delay the acceptance of requests from the client.
  • sec_protocol_error_trace_action: Specifies a monitoring action such as none, trace, log, or alert.
  • sec_max_failed_login_attempts: Drops a connection after a specified number of failed login attempts. This policy remains enabled even if you don’t enable a password profile.
  • ldap_directory_sysauth: Specifies whether the database uses strong authentication for database administrators. You must set the value of this parameter to yes if you want to implement strong authentication such as Kerberos tickets or certificates over a Secure Socket Layer (SSL). You disable strong authentication when you specify the value no for this parameter.
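An added example (not from the original page) of inspecting and setting these parameters. The values chosen are illustrative assumptions; the quoted, parenthesised '(DROP,3)' form for sec_protocol_error_further_action is my reading of the 11g Reference examples and should be checked against the documentation for your exact release. Check ISSYS_MODIFIABLE before relying on SCOPE=BOTH for any of them.

```sql
-- Added example: review and set the new 11g security parameters. Values are
-- illustrative assumptions; the '(ACTION,n)' syntax is assumed from the 11g
-- Reference. Consult ISSYS_MODIFIABLE before using SCOPE=BOTH.
SELECT name, value, issys_modifiable
  FROM v$parameter
 WHERE name IN ('sec_case_sensitive_logon',
                'sec_protocol_error_further_action',
                'sec_protocol_error_trace_action',
                'sec_max_failed_login_attempts',
                'ldap_directory_sysauth');

-- Record bad packets in the alert log and drop the offending connection
-- after three of them; the default CONTINUE keeps serving a misbehaving client.
ALTER SYSTEM SET sec_protocol_error_trace_action   = 'LOG'       SCOPE=BOTH;
ALTER SYSTEM SET sec_protocol_error_further_action = '(DROP,3)'  SCOPE=BOTH;

-- Disconnect a client process after three failed authentication attempts on
-- one connection, independent of any password profile. Written to the spfile
-- and picked up at the next restart.
ALTER SYSTEM SET sec_max_failed_login_attempts = 3 SCOPE=SPFILE;

-- Enable directory-based strong authentication for administrators. Requires
-- the directory, Kerberos or SSL setup to already be in place.
ALTER SYSTEM SET ldap_directory_sysauth = 'YES' SCOPE=SPFILE;
```

Run the first query again after a restart to confirm that the spfile-only changes took effect.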

References: McGraw-Hill, OCP Oracle Database 11g: New Features for Administrators Exam Guide (April 2008)

http://www.oracle-base.com/articles/11g/case-sensitive-passwords-11gr1.php

This article is original work; when reposting, please credit the source and author.

Corrections are welcome if you find any errors.

Email: czmcj@163.com
